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1. Background 

Under the X.509 directory infrastructure, certificate Revocation Lists (CRLs) are issued 
by Certificate Authorities (CAs) to revoke certificates. Because revoked certificates 
cannot be trusted, it is essential that systems using certificates include secure mechanisms 
to verify revocation status. Without such verification, a few compromised certificates 
could be used for wide-scale fraud. There will soon be millions of certificates accepted by 
protocols such as SSL and S/MIME and some fraction of these will need to be revoked. 

Protocols should be optimized for the case where certificates are not revoked, since in 
practice revoked certificates will only be encountered in extraordinary circumstances (i.e., 
cases of attempted fraud). CRLs arc extremely inefficient, since verification of a 
certificate's status requires the entire CRL. As a result, CRLs will become unacceptably 
large in large-scale systems involving millions of certificates. Furthermore, if certificate 
chaining and attribute certificates are used, users must obtain separate CRLs from each 
CA in the chain and every attribute certificate issuer. If CRLs are used for revocation, 
systems must be able to get CRLs from every CA. (This problem can be alleviated 
somewhat by designating CRL repositories, but these systems would consume an 
enormous amount of network bandwidth.) Complete new CRLs must be downloaded 
regularly since users cannot reliably determine whether a given certificate is valid without 
the complete CRL. Network traffic dedicated to CRL distribution could potentially exceed 
all other traffic combined, especially if CRLs arc updated frequently. 

While a variety of measures, such use of only very short-term certificates, can alleviate the 
situation somewhat, certificate validation trees eliminate the major problems associated 
with CRLs without sacrificing security. This document defines structures for certificate 
revocation trees. 



2. System Overview 

Certificate Validation Trees (CVT) trees provide an efficient way for certificate acceptors 
to determine whether certificates have been revoked and allow certificate holders to 
demonstrate that their own certificates have not been revoked. Trees are computed in 
advance by a "semi-trusted" party (such as Integris Security or a CA), which processes the 
data from one or more CRLs into tree form. The issuer is described as "semi-trusted," 
since the operation of the tree issuer is publicly auditable. Any independent party can 
verify that the tree issuer has not inappropriately revoked valid certificates or omitted 
revoked certificates from the tree. The tree's root node is then digitally signed. 

To prove that one or more certificates have not been revoked, the tree leaves spanning the 
certificates in question are required, along with the supporting hashes binding the leaves to 
the tree's root and the digitally-signed root. 
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Certificate validation involves four kinds of entities: CAs, CVT issuers, confirmation 
issuers, and verifiers. The CAs are responsible for issuing certificates and issuing CRJU. A 
CVT issuer collects and verifies CKLs from one or more CAs then constructs a digitally- 
signed, dated certificate validation tree. The signed tree structure is then provided to 
confirmation issuers, which respond to users' requests for revocation information 
regarding specific certificates. 

This document defines formats for the confirmation request, confirmation response, and 
XVT. 



3. Data Formats 



A Confirmation Request is passed from a verifier to a confirmation issuer and identifies 
one or more certificates whose revocation status is to be determined. 



ConfirmationRequest 
version 
application!!) 
hash 

requestList 
requestExtensions 



SEQUENCE { 
Version DEFAULT vl, 
INTEGER, 
Algorithmldentifier, 
SEQUENCE OF Request, 
Extensions OPTIONAL } 



Request ::= SEQUENCE { 

issuerNameAndKeyHash Hash, 
serialNuraber CertificateSerialNumber } 



TssuerNameAndKey 
issuer 

issuerPublicKey 



SEQUENCE { 
Name, 

OCTET STRING } -Use what format! I!?- 



The issuerNameAndKeyHash is computed by hashing an IssuerNameAadKey field 
constructed for the CA in question using a cryptographic hash function (i.e., SHA-1). 



The confirmation issuer responds with a ConfirmationResponse structure: 

CotifirinationResponse SEQUENCE { 

resultStatus ResuItStatus, 
certificateConfirmations SEQUENCE OF 

CertificateConfirmations, 
fonvardinglnfo [1] Fonvardinglnfo OPTIONAL 

- Should make forwardmglnfo an extension 9 if! - 

- NEED TO ADD [OPTIONAL] EXTENSIONS HERE- 
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ResultStatus 

successful 

someCertsUnknown 
inatfdnnedRequest 
requestorUnauthorized 
intern alError 
serverHasNoTree 
noGlobalTree 

} 

Forwardinglnfo 

siteNameList 

CertificateConflrraations 
treeHeader 
version 

minVersionToRead 

signature 

issuer 

thisUpdate 

nextUpdate 

validUntil 

hash 

totalLeafCouut 
rootHash 
crtExtensions 
treeLeafAndPath 



Version 



ENUMERATED { 

( 0 ), "Response has valid confirmaiions- 

( 1 ), -When is this returned?— 

( 2 )» -Illegal confirmation request- 

( 3 ) , -User not authorized to use issuer- 

( 4 ) , -Internal error in issuer- 

( 5 )> -Issuer tree missing or out ofdate- 

( 6 ) -Request reqtdres a global tree- 



SEQUENCE { 
SEQUENCE OF OCTET STRING } 

SEQUENCE { 
SIGNED { SEQUENCE { 
Version DEFAULT vl, 
Version DEFAULT vl, 
Algorithmldentifier, 
GeneralNames, 
GeneralizedTirue, 
GeneralizedTime, 
GeneralizedTime, 
Algorithmldentifier, 
LeatfCount, 
Hash, 

Extensions OPTIONAL }}, 
SEQUENCE SIZE (1..MAX) OF 
TreeLeafAndPath } 

INTEGER (vl(0) } 



TreeSerialNumber 

LeafCount 

Hash 



TreeLeafAndPath 
treeLeaf 
leafPath 



INTEGER 
INTEGER (UMAX) 

OCTET STRING 

— Length must equal hash size 

SEQUENCE { 
TreeLeaf, 

SEQUENCE OF Hash } 



— TreeLeaf must be DER encoded — 
TreeLeaf SEQUENCE { 

leafPosition LeafPosition, 
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leaflData 



LeafData } 
CHOICE { 

[0] UnknownCARange, 
[1] LeafRange } 

SEQUENCE { 

Hash, 

Hash} 



LeafData 

unknownCA_Range 
leafRange 

UnknownCARange 

issuerPublicKeyHashl 
issuerPublicKeyHash2 

LeafRange 

issuerPublicKeyHash 

thisCriUpdate 

nextCriUpdate 

validUntil 

revocationDate 

rangeMinStatus 

rangeStatus 

rangeMiaimum 

rangeMaximum 

leafExtensions 

LeafPosition ::= 

RevocationStatus ::= 
revokedReasonUnspecified 
keyCompromise 
cACompromise 
affiliationChanged 
superseded 
cessationOPOperation 
certificateHold 
expiredNormaliy 
noAcceptableCRL 
unsupportedRange 
unknownStatusOkay 
validCertificate 

CertSerialNumber INTEGER 



SEQUENCE { 

[0] Hash OPTIONAL, 

[1] GeneralizedTime OPTIONAL, 

[2] GeneralizedTime OPTIONAL, 

[3] GeneralizedTime OPTIONAL, 

[4] GeneralizedTime OPTIONAL, 

RevocationStatus, 

RevocationStatus, 
[5] CertSerialNumber OPTIONAL, 
[6] CertSerialNumber OPTIONAL, 
[7] Extensions OPTIONAL } 



INTEGER 

ENUMERATED { 

(0), 

(U 

(2) , 

(3) , 

(4) , 

(5) , 

(6) , 

(7) . 

(8) . 

(32) , 

(33) , 
(64)} 



The treeHeader is digitally signed by the tree issuer and specifies the version of the current 
certificate validation tree, the oldest version with which the structure is backward- 
compatible, the tree serial number, the algorithm used to sign the header, the tree issuer* s 
public key (hashed), the time of tine tree's issuance, optionally the time of the next tree's 
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issuance optionally the time when the tree expires, the secure hash function usea to 
construct the tree, the total number ofleavos present in the tree, and finally the tree s root 
hash The tree serial number values should be assigned sequentially by the tree issuer, 
beginning with zero The tree issuer can either be a misted third party entity (i.e., Integris 
Security) or the CA who originally issued the revoked certificates in the tree. 



4. Verifying confirmations 

f'Hf This section has riot been polished yetj 

Every TreeLeafAndPatb is a cryptographic assertion from the revocation tree issuer that 
no known revoked certificates exist within some range. Either the certificate in question is 
not known to be revoked, is revoked, is from a revoked CA, or is from a CA fer which no 
CR1 is present in the tree. (The third result is important, since applications might accept 
certificates from C As whose CRLs are not in the tree, but no application should accept 
revoked certificates.) 

To determine a certificate's status given a treeHeader and treeLeafandPath, do the 
following: 

1. Check version and signature algori 

2. Verify that the issuer Name in the treeHeader corresponds to a trusted party or 
the CA who issued the certificate in question. If the name is unrecognized, the 
confirmation is invalid. 

3 . Check that the tree is acceptably recent by checking the header validUntil field. 
(See step 9 for checking of the leafs time fields.) 

4. Check that the Hash algorithm is acceptable (i.e., SHA). 

5 . Verify the signature on the treeHeader using the public key corresponding to 
the issuer's name. 

6. Verify that leafPosition < totaDLeafCount. 

7. Using the leafPosition, verify that the leafPath binds the hash of the leaf to the 
rootHash in the signed treeHeader. 

8. If the LeafData is of type UnknownCAJFUnge, verify that the hash of the CA's 
public key lies between issuerPublicKeyHash 1 and issuerPubiicKeyHash2. If 
so, the C A is not in the tree. If not, the leaf is inappropriate. 

9. If the LeafData is of type LeafRange: 

• Verify that the issuerPublicKeyHash matches the hash of the CA's 
public key. (If issuerPublicKeyHash is omitted, it is identical to the tree 
issuer.) If the CA does not match, the leaf is inappropriate. 

• If present, verify that thisCrlUpdate, nextCrlUpdate, and validUntil are 
acceptable. 

• Verify that rangeMmimum, if present, is smaller than or equal to the 
serial number of the certificate in question. Also verify that 
rangeMaximum, if present, is larger than the serial number of the 
certificate in question. 
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• Check the RevocationStatus field. If 32 S RevocatioflStatus < 64, the 
certificate's status, is unknown. The value 32 corresponds to an 
unknown range (i.e., absolutely no revocation information is available). 
The value 33 indicates that no current revocation information is present 
for this range, but this is normal so applications may decide to accept 
certificates io the range. 

• If 64 £ RevocationStatus < 96 or if certificateSerialNumber * 
rartgeMinimura, the certificate is valid. Otherwise the certificate is 
revoked for the reason specified in RevocationStatus. 

The issuerPublicKeyHash values are computed as the hash of the DER-encoded public 
key of the CA The time in thisCriUpdate and optionally nextCriUpdate in the 
LeafRange structure equal OrisUpdate and nextUpdate from the CRL from the specified 
CA which is used in the tree. 



The recipient of a treeLeafAndPath can use the leafPath to verify that each treeLeaf is 
cryptographically bound to the roof: 

Let maxDepth *» f log 2 (tota!LeafCount)l - M rounds up if not an integer. - 
Let y - leafPosition. 

Let i = 0. 

hash[0] = HASHED { treeLeaf } 
For x ~ 0 upto maxDepth- 1 

Let y> = (y © 2") - ((v © 2 X ) mod 2 X ). 

if y* < y then 

hash[i+l] = HASHED { hasfafx] | Ieafrath[x-i] }. 
else if y 1 < totalLeafCount then 

hash[x+l] = HASHED { IeafPath[x-i] | hash(x] }. 

else 
EndFor. 

Assert (hash[maxDepth] = rootHash). 

The operation of the revocation tree issuer can be verified easily, since anyone can verify 

that 



1) all known revoked certificates and CAs should be contained in the tree, and 

2) only known revoked certificates and CAs are contained in the tree. 

A tree can include revocations for multiple CAs so that a single CertificateConfirmattons 
structure can provide assurances for all certificates in a chain. The tree can even include 
revoked non-X.509 certificates (in which case the structure of TreeLeaf might change). 

CertiricateConfinnations messages are quite small; even if the tree includes many millions 
of revoked certificates. For example, each leafPath from a tree with a billion leaves using a 
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hash size of 20 bytes would require about 600 bytes. A single asymmetric signature 
verification can provide assurances for all certificates in the chain. 

Tree construction can be performed in linear time. Using the tree and signed root, 
confirmations can be constructed very efficiently using only insecure hardware. 



5. ASN.1 Module 

CertRevocationTreesDefinitions { joint-iso-ccitt (2) country (16) us (840) 

organization (1) integris (-TBD!!!--) modules (1) 
certRcvocatiooTreesDefinitions (1) } 
DEFINITIONS IMPLICIT TAGS 
BEGIN 

- FJCPORTS all definitions, in particular: 

- CertificateConfirmations, 

- Message syntax to communicate certificate confirmations - 
ConfirmationRequest 
~ - Message syntax to request certificate confirmations - 

IMPORTS 

Algorithmldentifier, SIGNED, Extensions 

FROM AothenticationFramework {joint-iso-ccitt ds(5) 
module(l) authenticationFramework(7) 2} 

- Note definition of Extensions requires application of 

- Technical Corrigendum 1 - 
GeneralName* 

FROM CertificateExtensions {joint-iso-ccitt ds(5) 
modu!e(l) certificateExtensions(26) 0} ; 

- Message syntax to request certificate confirmations — 

ConfirmationRequest ::= SEQUENCE { 

version Version DEFAULT vl, 

application© INTEGER, 

hash Algorithmldentifier, 

requestList SEQUENCE OF Request, 

requestExtensions Extensions OPTIONAL } 



Request SEQUENCE { 

issuerNameAndKeyHash Hash, 
serialNumber CertSerialNumber } 
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- Message syntax to communicate certificate confirmations ■ 
ConfirmationResponse ::» SEQUENCE { 



} 



resultStatus 
certiflcateConfinnations 

forwardinglnfo 



H] 



Results tatu5> 
SEQUENCE OF 

CertificateConfirmatioas, 
Forwardinglnfo OPTIONAL 



ResuItStatus ::= 
successful 

someCertsUnknown 

malformedRequest 

requestorUnauthorized 

intern alError 

serverHasNoTree 

noGlobalTree 



ENUMERATED { 

(0) , 

(1) , 

(2) , 

(3) , 

(4) , 

(5) , 

(6) } 



Forwardinglnfo 

siteNameList 

CertificateConfirmations 
treeHeader 
version 

minVersionToRead 

signature 

issuer 

tbisUpdate 

oextUpdate 

vaiidUntil 

hash 

totalLeafCount 
rootHash 
crtExtensions 
treeLeafAndFath 



Version 

TreeSerialNu m ber 

LcafCount 

Hash 



SEQUENCE { 
SEQUENCE OF OCTET STRING } 

SEQUENCE { 
SIGNED { SEQUENCE { 
Version DEFAULT vl, 
Version DEFAULT vl, 

Algoritbmldentifier, 

GeneralNaines, 

GeneralizedTime, 

GeneralizedTime, 

GeneralizedTime, 

Algorithmldentifier, 

LeafCount, 

Hash, 

Extension* OPTIONAL }}♦ 
SEQUENCE SIZE (L.MAX) OF 
TreeLeafAndPath } 



* INTEGER { vl(0) } 
INTEGER 
INTEGER (L.MAX) 

OCTET STRING 

- Length must equal hash size ■ 
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SEQUENCE { 
TreeLeaf, 

SEQUENCE OF Hash) 



SEQUENCE { 
LeafPosition, 
LeafData } 

CHOICE { 

[0] UnknownGARange, 
[1] LeafRange } 

SEQUENCE { 

Hash, 

Hash} 



TreeLeafAndFath 
treeLeaf 

leaffatb 

- TreeLeaf must be DER encoded 
TreeLeaf 

leafPosition 

leafData 

LeafData ;:- 
unknownCA_Range 
leafRange 

UnknownCARange 

issuerPublicKeyHashl 
i$suerPubiicKeyHash2 

LeafRange ::= 
issuerPublicKeyHash 
thisCrlUpdate 
nntCriUpdate 
validUntil 
revocationDate 
rangeMinStatus 
ranges tatus 
rangeMinimam 
rangeMaximum 
leafExtensions 

LeafPosition ;r= 



SEQUENCE { 

[0] Hash OPTIONAL, 

[1] GeneralizedTime OPTIONAL, 

[2] GeneralizedTime OPTIONAL, 

[3J GeneralizedTime OPTIONAL, 

[4] GeneralizedTime OPTIONAL* 

RevocationStatus, 

RevocationStatus, 
[5J CertSeriaiNumber OPTIONAL, 
[61 CertSerialNumber OPTIONAL, 
[7] Extensions OPTIONAL } 



INTEGER 



ENUMERATED { 

(0), 

(U 

(2) , 

(3) , 

(4) , 

(5) , 

(6) , 

(7) , 

(8) , 

(32) , 

(33) , 
(64) } 



RevocationStatus ; 
unspecified 
keyCompromise 
cACompromise 
affiliationChanged 
superseded 
cessationOfOperation 
certiflcateHoId 
expiredNonnally 
noAcceptableCRL 
unsupportedRange 
unknownStatusOkay 
validCertificate 
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CertSerialNumber INTEGER 
END 
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